b'                                                       Appendix III\n\n\n\n\nAssessment of SEC\xe2\x80\x99s System and\nNetwork Logs\n\n\n\n\n                                                           March 16, 2012\n                                                           Report No. 500\n\nAssessment and Review Conducted by C5i Federal, Inc.\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                 UNITED STATES\n\n                             SECURITIES AND EXCHANGE COMMISSION\n                                         WASHINGTON, D.C.      20549\n\n\n\n\nINSPECTO" GENERAl\n\n\n\n\n                                       MEMORANDUM\n\n                                                 March 16, 2012\n\n\n          To:              Thomas A. Sayer, Chief Information Officer. Office of Information\n\n\n\n                                             \xef\xbf\xbd\n                             Technology (OIT)\n\n           From:           Noelle Maloney.   c     Inspector General, Office of Inspector\n                             General (OIG)\n\n\n          Subject:         Assessment of SE      s System and Networ/{ Logs, Report No. 500\n\n           This memorandum transmits the U.S. Securities and Ey.r\xef\xbf\xbdhange Commission OIG\'s\n           final report detailing the results on our assessment of SEC\'s system and network\n          logs. This review was conducted as part of our continu<..\'us effort to assess\n          management of the Commission\'s programs and operations and as a part of our\n          annual audit plan.\n\n\n           The final report contains eight recommendations which if fully implemented should\n           strengthen OIT\'s controls over the Commission\'s system and network logs. OIT\n           concurred with all the recommendations. 
Your written response to the draft report is\n           included in Appendix VI.\n\n          Within the next 45 days, please provide the OIG with a written corrective action plan\n           that is designed to address the recommendations. The corrective action plan should\n           include information such as the responsible official/pojn\xef\xbf\xbd of contact, timeframes for\n           completing required actions, and milestones identifying how you will address the\n           recommendations.\n\n           Should you have any questions regarding this report, p(!:<lse do not hesitate to\n           contact me. We appreciate the courtesy and cooperation thai you and your staff\n           extended to our audit staff and contractors.\n\n\n          Attachment\n\n           cc:      James R. Burns, Deputy Chief of Siaff, Office of the Chairman\n                    Luis A. Aguilar, Commissioner\n                    Troy A. Paredes, Commissioner\n                    Elisse 8. Walter, Commissioner\n                    Daniel M. Gallagher, Commissioner\n                    Jeff Heslop, Chief Operating Officer, Office of Chief of Operations\n                    Todd Scharf, Chief Information Security Officer. Office of Information\n                     Technology\n\n\n\n\n        Assessment of SEC\xe2\x80\x99s System and Network Logs                                      March 16, 2012\n        Report No. 500\n                                                Page i\n                                       REDACTED PUBLIC VERSION\n\x0cAssessment of SEC\xe2\x80\x99s System and\nNetwork Logs\n\n                              Executive Summary\nBackground. In August 2010, the U.S. Securities and Exchange Commission\n(SEC or Commission) Office of Inspector General (OIG) contracted with C5i\nFederal, Inc. 
(C5i) to assist with the completion and coordination of OIG\xe2\x80\x99s input to\nthe Commission\xe2\x80\x99s response to the Office of Management and Budget (OMB)\nMemorandum M-10-15, FY 2010 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management. 1 The\nresponse was completed and submitted to OMB in November 2010 and reported\non by the OIG in its report, 2010 Annual FISMA Executive Summary Report. 2 As\npart of its work, C5i conducted an assessment and review of the SEC\xe2\x80\x99s\ncontinuous monitoring of information technology operations audit logs, and the\nOIG documented the results of the assessment report Assessment of SEC\xe2\x80\x99s\nContinuous Monitoring Program. 3 During its assessment of the SEC\xe2\x80\x99s\ncontinuous monitoring program, C5i found\xe2\x80\x94based on its review of a judgmental\nsample number of                                logs and                     server\nlogs\xe2\x80\x94that the SEC Office of Information Technology (OIT) was capturing user\nidentification and log-in/log-out times on\n                                     However, C5i was unable to verify whether all\nlog settings and user activities were being captured for all servers. As a result,\non May 17, 2011, the OIG modified its contract with C5i to conduct an in-depth\ntechnical assessment of a sample of the\n                                   located within the SEC\xe2\x80\x99s enterprise network, 4 to\ndetermine whether audit log data were being captured consistent with the\nrequirements of the Federal Information Security Management Act (FISMA),\nFederal Information Processing Standards (FIPS), and the National Institute of\nStandards and Technology (NIST) guidelines.\n\nObjectives. 
The overall objective of this review was to independently evaluate\nand report on how the Commission has implemented information security\nrequirements for audit log management, including the generation, review,\nprotection, and retention of audit logs. An additional objective was to review\nsystem and network logs in the SEC enterprise network, access controls to logs,\ncontrols over log management and analysis, data log collection, and log storage.\n\n1\n  Office of Management and Budget, Memorandum 10-15, FY 2010 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management,\nhttp://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf.\n2\n  OIG, 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 3, 2011).\n3\n  OIG, Assessment of SEC\xe2\x80\x99s Continuous Monitoring Program, Report No. 497 (Aug. 11, 2011).\n4\n  The sample includes SEC\xe2\x80\x99s operations center, headquarters and the regional offices.\nAssessment of SEC\xe2\x80\x99s System and Network Logs                                       March 16, 2012\nReport No. 500\n                                      Page ii\n                              REDACTED PUBLIC VERSION\n\x0cResults. C5i\xe2\x80\x99s technical assessment of SEC\xe2\x80\x99s system and network logs found\nthat audit log events were not captured for all                   servers. C5i\xe2\x80\x99s\nreview consisted of comparing server logs collected by the OIG in February 2011\nwith logs that were collected in June 2011, as well as reviewing additional\nservers that were located in the SEC\xe2\x80\x99s Enterprise network. Specifically,\nservers in C5i\xe2\x80\x99s judgmental sample did not log auditable events because the\nserver\xe2\x80\x99s logging capacity had been exceeded. 
Also, there is no mechanism in\nplace to alert OIT\xe2\x80\x99s Servers and Storage Branch or OIT\xe2\x80\x99s Security Branch when\nservers have reached their capacity and stopped performing logging functions.\nC5i found that the OIT Servers and Storage Branch did not actively monitor\nserver logs and did not have an alerting mechanism to provide notification of\nwhen a sever was no longer logging events. Although OIT\xe2\x80\x99s Security Branch\nmonitors logs, an alerting mechanism does not exist. Both the OIT Servers and\nStorage Branch and the OIT Security Branch were unaware that the three\nservers were not logging events.\n\nC5i also found that OIT\xe2\x80\x99s policies and procedures for audit log capture and\nmanagement were outdated and do not clearly define required components such\nas roles and responsibilities. C5i reviewed five formal, documented policies and\nprocedures specific to audit log capture and management. C5i found that only\none of these policies was current and the other policies had not been reviewed or\nupdated based on the \xe2\x80\x9canticipated review date\xe2\x80\x9d identified in each policy. In\naddition, C5i found that OIT does not have documented policies and procedures\nfor application database log management. Further, our review of log capture and\nlog management (including capacity planning and identification of roles and\nresponsibilities of persons involved in log management) found that OIT does not\nhave documented policies and procedures for reviewing server logs to ensure\nthat log capacity has not been exceeded or for alerting OIT officials when the\ncapacity is exceeded. In previously-issued reports the OIG found that OIT\xe2\x80\x99s\nsecurity policies and procedures were outdated but none of the policies and\nprocedures were related specifically to logs. 
OIT is aware that the vast majority\nof their policies and procedures are outdated and has taken action to address\nthis matter.\n\nAdditionally, C5i found         servers identified as decommissioned were still\nactively connected to the SEC\xe2\x80\x99s Enterprise networks and were still accessible.\nFurther, C5i found that one of the servers had stopped performing logging\nfunctions. Decommissioned servers remained accessible on the SEC network\nand, of those examined, one was not capturing logs.\n\nAlso, C5i found that logs are not generated consistently for application databases\nbecause the audit trail functionality that is built into the database is not always\navailable, which has resulted in OIT not being able to capture logs for all\nauditable events. OIT informed C5i that resources have now been dedicated to\naddress this matter.\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                        March 16, 2012\nReport No. 500\n                                 Page iii\n                         REDACTED PUBLIC VERSION\n\x0cLastly, OIT\xe2\x80\x99s Servers and Storage Branch and OIT\xe2\x80\x99s Security Branch do not have\nan alerting mechanism to notify appropriate personnel when\nare full or have stop performing logging functions. Although OIT does not have\nan alerting mechanism to notify it when logs are no longer performing logging\nfunctions, OIT informed C5i that the office plans to deploy a tool that will provide\nOIT with this capability in the near future.\n\nSummary of Recommendations. 
We recommend OIT take the following\nactions to enhance the SEC\xe2\x80\x99s system and network logs.\n\n     (1) OIT should identify capacity requirements for all servers, ensure\n         sufficient capacity is available for the storage of audit records,\n         configure auditing to reduce the likelihood that capacity will be\n         exceeded, and implement an alerting mechanism to alert and notify\n         appropriate office/divisions when log storage capacity is reached.\n\n     (2) When updating its policies and procedures, OIT should include log\n         management language that\n\n              \xe2\x80\xa2   Identifies the roles and responsibilities of staff who are\n                  involved in log management,\n              \xe2\x80\xa2   requires server logs to be periodically reviewed to check\n                  whether log capacity has been exceeded, and\n              \xe2\x80\xa2   requires appropriate OIT officials be notified when audit\n                  logging functions are suspended when log storage\n                  capacity has reached its limit.\n\n     (3) OIT should review and update all logging policies and procedures\n         consistent with the policy\xe2\x80\x99s review interval requirements and retain\n         evidence of its reviews and any updates to the policy.\n\n     (4) OIT should ensure that all servers connected to the Commission\xe2\x80\x99s\n         enterprise network are configured to have logging enabled.\n\n     (5) OIT should update Server Decommission Guidelines and include\n         language to fully document each action that should be performed when\n         decommissioning a server. 
OIT should also develop a server\n         decommissioning checklist to be included in the Server Decommission\n         Guidelines.\n\n     (6) OIT should conduct a review of application database log management\n         and generation procedures to ensure audit events are being captured\n         and retained, consistent with OIT policies and procedures and National\n         Institute of Standards and Technology guidelines.\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                         March 16, 2012\nReport No. 500\n                                 Page iv\n                         REDACTED PUBLIC VERSION\n\x0c     (7)   OIT should implement a mechanism to notify OIT\xe2\x80\x99s Server and\n           Storage Branch, or OIT\xe2\x80\x99s Security Branch when\n           stop performing        functions.\n\n     (8)   OIT should implement its plan to develop a computer script that\n           determines whether                     are producing\n\nThe full version of this report includes information that the SEC considers to be\nsensitive and proprietary. To create this public version of the report, OIG\nredacted (blacked out) potentially sensitive, proprietary information from the\nreport.\n\n\n\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                        March 16, 2012\nReport No. 500\n                                 Page v\n                         REDACTED PUBLIC VERSION\n\x0cTABLE OF CONTENTS\nExecutive Summary ...................................................................................................... ii\n\nTable of Contents ........................................................................................................ vi\n\nBackground and Objectives .......................................................................................... 1\n      Background ....................................................................................................... 
1\n      Objectives .......................................................................................................... 2\n\nFindings and Recommendations .............................................................................. 3\n      Finding 1: Audit Log Events Are Not Being Captured for All\n                Servers .............................................................................................. 3\n                   Recommendation 1....................................................................... 9\n\n         Finding 2: OIT Audit Logging Policies and Procedures for SEC Network\n         Servers Should be Revised and Reviewed According to Its Current Policy ..... 10\n                      Recommendation 2..................................................................... 12\n                      Recommendation 3..................................................................... 12\n\n         Finding 3: Decommissioned Servers Remain Active on the SEC Network ..... 13\n                      Recommendation 4..................................................................... 14\n                      Recommendation 5..................................................................... 14\n\n         Finding 4: Application Database Logs Are Not Generated. ............................. 15\n                      Recommendation 6..................................................................... 15\n\n         Finding 5: OIT Does Not Have a Monitoring and Alerting Mechanism for\n                           Failure. .............................................................................. 16\n                      Recommendation 7..................................................................... 17\n                      Recommendation 8..................................................................... 17\n\nAppendices\n    Appendix I. 
Abbreviations................................................................................ 18\n    Appendix II. Scope and Methodology .............................................................. 19\n    Appendix III. Criteria ........................................................................................ 22\n    Appendix IV. Screenshots ............................................................................... 23\n    Appendix V. List of Recommendations .......................................................... 28\n    Appendix VI. Management\xe2\x80\x99s Comments ......................................................... 30\n    Appendix VII. OIG Response to Management\xe2\x80\x99s Comments............................. 33\n\n\n\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                                                    March 16, 2012\nReport No. 500\n                                           Page vi\n                                   REDACTED PUBLIC VERSION\n\x0cTables\n     Table 1. Servers Eliminated from Initial Judgmental Sample ............................ 4\n     Table 2. Sampled Servers Not Capturing Logs ................................................. 5\n     Table 3. Servers Eliminated from Additional Judgmental Sample Used in\n             Log Comparison .................................................................................. 6\n     Table 4. Server From Additional Judgmental Sample Not Performing\n             Logging Functions ...... ......................................................................... 7\n\nFigures\n     Figure 1.\n             Log, October 17, 2011 ........................................................................ 23\n     Figure 2.                                                                          , Verified\n               June 18, 2011 ................................................................................. 23\n     Figure 3.                                    
                                      , Verified\n               June 18, 2011 ................................................................................. 24\n     Figure 4.                                                                        Verified\n               June 18, 2011 ................................................................................. 25\n     Figure 5.\n                             Verified June 18, 2011 ............................................... 26\n     Figure 6.\n               Verified June 18, 2011 .................................................................... 27\n\n\n\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                                          March 16, 2012\nReport No. 500\n                                       Page vii\n                               REDACTED PUBLIC VERSION\n\x0c                   Background and Objectives\nBackground\nOverview. In August 2010, the U.S. Securities and Exchange Commission (SEC\nor Commission) Office of Inspector General (OIG) contracted with C5i Federal,\nInc. (C5i) to assist with the completion and coordination of OIG\xe2\x80\x99s input to the\nCommission\xe2\x80\x99s response to Office of Management and Budget (OMB)\nMemorandum M-10-15, FY 2010 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management. 5 The\nresponse was completed and submitted to OMB in November 2010 and reported\non by the OIG in the report 2010 Annual FISMA Executive Summary Report. 6 As\npart of its work, C5i conducted an assessment and review of the SEC\xe2\x80\x99s\ncontinuous monitoring of information technology operations audit logs, and the\nresults of the assessment were documented by the OIG in the report\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program. 
7\n\nDuring its assessment of the SEC\xe2\x80\x99s continuous monitoring program, C5i found\xe2\x80\x94\nbased on its review of a judgmental sample number of\nlogs and                        server logs\xe2\x80\x94that the SEC Office of Information\nTechnology (OIT) was capturing user identification and log-in/log-out times on\n                                                                     However,\nwithout conducting a more in-depth analysis, C5i was unable to verify whether all\nlog settings and user activities were being captured for all servers. To assist the\nOIG in conducting an in-depth assessment of logs, on February 2, 2011, at the\nOIG\xe2\x80\x99s request, OIT collected and provided a hard drive with audit log records\nfrom all OIT\nthat were generated from January 4, 2010 to January 30, 2011.\n\nBecause OIG was unable to verify log settings and user activities in the log\nrecords OIT provided on February 2, 2011, OIG modified its contract with C5i on\nMay 17, 2011, to include a detailed technical assessment on a sample number of\nthe                                                                       that are\nlocated within the SEC\xe2\x80\x99s enterprise network, to determine whether audit log data\nwas being captured consistent with the requirements of the Federal Information\nSecurity Management Act (FISMA), Federal Information Processing Standards\n(FIPS), and the National Institute of Standards and Technology (NIST)\nguidelines. In addition, the modification to the contract included a comparison of\nthe network logs OIG collected on June 24, 2011, covering the period February\n5\n  Office of Management and Budget, Memorandum 10-15, FY 2010 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management,\nhttp://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf.\n6\n  OIG, 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 
3, 2011).\n7\n  OIG, Assessment of SEC\xe2\x80\x99s Continuous Monitoring Program, Report No. 497 (Aug. 11, 2011).\n8\n  The sample includes SEC\xe2\x80\x99s operations center, headquarters and the regional offices.\nAssessment of SEC\xe2\x80\x99s System and Network Logs                                        March 16, 2012\nReport No. 500\n                                      Page 1\n                              REDACTED PUBLIC VERSION\n\x0c4, 2010 through June 20, 2011, with the system and network logs OIT collected\nand provided to OIG on February 2, 2011, a review of segregated duties among\nOIT staff who access SEC enterprise network logs, access controls to logs,\ncontrols over log management and analysis, log collection, and log storage.\n\nObjectives\nThe overall objective of this review was to independently evaluate and report on\nhow the Commission has implemented information security requirements for\naudit log management, including the generation, review, protection, and retention\nof audit logs. An additional objective was to review system and network logs in\nthe SEC enterprise network, access controls to logs, controls over log\nmanagement and analysis, data log collection, and log storage.\n\n\n\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                       March 16, 2012\nReport No. 500\n                                 Page 2\n                         REDACTED PUBLIC VERSION\n\x0c                  Findings and Recommendations\n\nFinding 1: Audit Log Events Are Not Being\nCaptured for All                   Servers\n           Three of 56 servers in the judgmental sample did not log\n           auditable events because the server\xe2\x80\x99s logging capacity had\n           been exceeded. 
There is no mechanism in place to alert\n           OIT\xe2\x80\x99s Servers and Storage Branch or OIT\xe2\x80\x99s Security Branch\n           when servers have reached their capacity and have stopped\n           performing logging functions.\n\nIn connection with this review, C5i conducted a technical assessment of\n\n          located in the SEC\xe2\x80\x98s enterprise network. In addition, C5i compared\nSEC enterprise network logs, including systems and application logs, collected in\nFebruary 2011 to the logs that were collected in June 2011.\n\nFIPS Publication 200, Minimum Security Requirements for Federal Information\nand Information Systems (FIPS Publication 200), states that organizations must:\n\n           (i) create, protect, and retain information system audit records to\n           the extent needed to enable the monitoring, analysis, investigation,\n           and reporting of unlawful, unauthorized, or inappropriate\n           information system activity; and (ii) ensure that the actions of\n           individual information system users can be uniquely traced to those\n           users so they can be held accountable for their actions. 10\n\nThe OIT Server and Storage Branch provided C5i with a list of\n          servers representing the various types of servers deployed across the\nCommission\xe2\x80\x99s enterprise network. From this list, C5i identified\n      , 11               , 12               13\n                                               and                      ,   for a\n\n9\n  The sample includes SEC\xe2\x80\x99s operations center, headquarters and the regional offices.\n10\n   FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems\n(Mar. 9, 2006) p. 
2.\n11\n   For the purpose of this report,\n\n\n     For the purpose of this report,\n\n     For the purpose of this report,\n\n     For the purpose of this report,\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                                          March 16, 2012\nReport No. 500\n                                               Page 3\n                                       REDACTED PUBLIC VERSION\n\x0ctotal of      items. C5i selected a judgmental sample of      servers from these\n\n                                            C5i reviewed the servers to assess\ntheir log generation and retention, server log capacity, and log monitoring and\nalerting.\n\nC5i conducted an on-site assessment on Saturday, June 18, 2011, from 6:10\np.m. Eastern Daylight Time (EDT) to 2:15 a.m. EDT on Sunday, June 19, 2011,\nand on Friday, June 24, 2011, from 10:37 p.m. EDT to 12:47 a.m. EDT on\nSaturday, June 25, 2011. C5i manually logged onto each server using the\nadministrator-level credentials OIT provided for this assessment. This access\nlevel was necessary to properly validate the configuration of event logging and\nlog information being captured.\n\nElimination of Servers from the Initial Judgmental Sample\n\nC5i attempted to manually log onto each of the      servers identified in its sample\nand discovered that some servers were not accessible. In three cases, the\nservers were unresponsive, and in two cases, the server\xe2\x80\x99s maximum allowable\nnumber of connections had been reached. In addition, two of the servers that\nC5i was able to access did not allow exporting of their server log configurations.\nAs a result, C5i reduced the number of servers in its judgmental sample\n         Table 1 provides details on the seven servers that were removed from the\ninitial sample.\n\n Table 1. 
Servers Eliminated From Initial Judgmental Sample\n     System        IP Address    Location     Type of     Date and           Results\n                                              Server    Time of Last\n                                                        Audit Entry\n                                Atlanta                    6/18/2011     System could\n                                Regional                   11:50 p.m.    not be\n                                Office                                   reached.\n                                New York                   6/18/2011     System could\n                                Regional                   12:23 a.m.    not be\n                                Office                                   reached.\n                                Fort Worth                 6/18/2011     Maximum\n                                Regional                   12:12 a.m.    allowable\n                                Office                                   connections\n                                                                         had been\n                                                                         reached.\n\n\n\n\n15\n  See Figure 5.                                                   , Verified June 18, 2011,\nAppendix IV.\nAssessment of SEC\xe2\x80\x99s System and Network Logs                             March 16, 2012\nReport No. 500\n                                  Page 4\n                          REDACTED PUBLIC VERSION\n\x0c      System          IP Address     Location     Type of       Date and           Results\n                                                  Server      Time of Last\n                                                              Audit Entry\n                                     SEC                        6/18/2011       Maximum\n                                     Operations                 12:33 a.m.      
allowable\n                                     Center                                     connections\n                                                                                had been\n                                                                                reached.\n                                     Chicago                    6/19/2011       Server log\n                                     Regional                   1:26 a.m.       configuration\n                                     Office                                     could not be\n                                                                                exported.\n                                     San                        6/18/2011       Server log\n                                     Francisco                  1:43 a.m.       configuration\n                                     Regional                                   could not be\n                                     Office                                     exported.\n                                     Salt Lake                  6/18/2011       System could\n                                     Regional                   1:16 a.m.       not be\n                                     Office                                     reached.\nSource: OIG-generated\n\nOf the    servers that were accessible\n                    C5i found that                               and\n           did not capture logs because the logs were full. In these cases, C5i\nreceived the following warning message: \xe2\x80\x9cThe security log on the system is full.\xe2\x80\x9d\nAs shown in Table 2, C5i found that logs for one of the servers had not been\ncaptured for nine days.\n\nTable 2. Sampled Servers Not Capturing Logs\n     System        IP Address       Location       Server         Date and        No. 
of Days\n                                                    Type        Time of Last       Without\n                                                                Audit Entry        Logging\n                                                                                   (Prior to\n                                                                                  6/18/2011)\n                                 SEC Operations                 6/15/2011              3\n                                 Center                         4:57:43 p.m.\n\n                                 SEC Alternate                  6/9/2011                9\n                                 Data Center                    5:55:37 p.m.\n\n Source: OIG-generated\n\nC5i found that all of the print servers and domain controllers in its 40-server\nsample were performing audit logging functions and generating audit records for\nthe list of audited events.\n\n\n16\n   See Figure 6.                                                         Verified June 18, 2011,\nAppendix IV.\n17\n   See Figure 4.                                            Verified June 18, 2011, Appendix IV.\n18\n   See Figure 2,                                             Verified June 18, 2011, Appendix IV.\nAssessment of SEC\xe2\x80\x99s System and Network Logs                                    March 16, 2012\nReport No. 500\n                                        Page 5\n                                REDACTED PUBLIC VERSION\n\x0cLog Comparison\n\nC5i compared server logs the OIG collected in February 2011 with the server\nlogs that were captured in June 2011. From the list of    servers provided by\nthe OIT Servers and Storage Branch, C5i selected the following 18 additional\nserver types in the\n\n\n\n\nC5i found that             additional servers were not accessible. In one case,\nC5i found that the system could not be reached; in the other case, C5i was\nunable to access Audit Policy in the server log configuration. 
Table 3 provides\ndetails on the two eliminated servers.\n\nTable 3. Servers Eliminated From Additional Judgmental Sample Used in Log Comparison\n(System, IP Address and Type of Server columns are redacted in the public version)\n  Location                    Date and Time of Last Audit Entry   Results\n  SEC Alternate Data Center   6/18/2011 10:45 p.m.                Not able to access Audit Policy\n  SEC Alternate Data Center   6/18/2011 11:50 p.m.                System cannot be reached\nSource: OIG-generated\n\nC5i also found that one of the accessible servers had not been performing audit\nlogging functions for at least one day, as shown in Table 4, because its logs were\nfull.\n\nTable 4. 
Server From Additional Judgmental Sample Not Performing Logging Functions\n(System, IP Address and Type of Server columns are redacted in the public version)\n  Location                    Date and Time of Last Audit Entry   Number of Days Without Logging (Prior to 6/16/2011)\n  SEC Alternate Data Center   6/17/2011 5:38:12 a.m.              At least 1 day\nSource: OIG-generated\n\nIn summary, C5i found that [redacted] accessible servers in its judgmental sample\n(consisting of [redacted] servers and [redacted] other servers) had been\noperating without audit log functions for as long as 9 days. 20\n\nLog Generation and Retention\n\nC5i found that for most of the SEC servers in its sample, OIT Servers and\nStorage Branch generates and retains audit logs. OIT Servers and Storage Branch\nhas implemented two automated computer scripts to manage and archive log\ndata. 21 The first script, which runs every day at [redacted], copies the daily audit\nlogs on each server to a temporary storage folder. A second script, which runs\nevery Monday at [redacted], moves the daily audit logs from the temporary storage\nfolder to a centralized log server for retention and archival purposes. 
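The two-step copy-and-archive flow just described can be tightened so that the live log is cleared only after its contents have been archived, which removes the manual-clear dependency discussed under Finding 1. The following PowerShell is an added illustration and is not OIT’s scripts (whose schedules and paths are redacted above). The server names, the staging folder, the archive share, and the reliance on WinRM remoting with local-administrator rights on each server are assumptions.

```powershell
<#
  Added example for the Log Generation and Retention discussion; not OIT's own
  scripts. Exports each server's live Security log to a staging folder on that
  server (step 1), moves the export to a central archive with a SHA-256 hash
  (step 2), and only then clears the live log (step 3), so a
  "Do not overwrite events (clear log manually)" policy can never stall auditing.
  Assumptions: WinRM remoting and local-administrator rights on each server,
  write access to $ArchiveRoot, Windows PowerShell 5.1; all names are placeholders.
#>
function Archive-SecurityLog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $ArchiveRoot,     # central log server share, e.g. \\LOGSRV\archive$
        [string] $StagingFolder = 'C:\Windows\Temp\SecLogArchive'   # temporary folder on each server
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($server in $ComputerName) {
        $fileName = "Security-$server-$stamp.evtx"

        # Step 1 (the report's daily script): export the live log to the staging folder on the server.
        $exported = Invoke-Command -ComputerName $server -ArgumentList $StagingFolder, $fileName -ScriptBlock {
            param($folder, $name)
            New-Item -ItemType Directory -Path $folder -Force | Out-Null
            $path = Join-Path $folder $name
            wevtutil epl Security $path | Out-Null      # export the channel to .evtx with records intact
            ($LASTEXITCODE -eq 0) -and (Test-Path $path)
        }
        if ($exported -ne $true) {
            Write-Error "Export failed on $server; live log left untouched"
            continue
        }

        # Step 2 (the report's weekly script): move the export to the central server via the admin share.
        $adminShare = "\\$server\" + ($StagingFolder -replace '^([A-Za-z]):', '$1$$')   # C:\... -> C$\...
        $dest = Join-Path $ArchiveRoot $server
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Move-Item -Path (Join-Path $adminShare $fileName) -Destination $dest
        $archived = Join-Path $dest $fileName
        if (-not (Test-Path $archived)) {
            Write-Error "Archive copy missing for $server; live log left untouched"
            continue
        }
        # Hash the archive so later tampering with retained records is detectable (NIST SP 800-53 AU-9).
        (Get-FileHash -Path $archived -Algorithm SHA256).Hash | Set-Content -Path "$archived.sha256"

        # Step 3 (the step the report found was only done manually): clear the live log, but only
        # after a verified archive exists. Clearing writes event 1102 as the first record of the new log.
        if ($PSCmdlet.ShouldProcess($server, 'Clear live Security log')) {
            Invoke-Command -ComputerName $server -ScriptBlock { wevtutil cl Security }
        }
    }
}

# Usage with placeholder names; add -WhatIf to preview the clear step without performing it.
Archive-SecurityLog -ComputerName 'SRV-FILE01', 'SRV-FILE02' -ArchiveRoot '\\LOGSRV\archive$'
```

Run it daily from a scheduled task under an account that is a local administrator on each server and can write to the archive share. Because the clear is tied to a verified export, the archive file, its hash, and the 1102 event (“The audit log was cleared”) that opens the fresh log together give a continuous record; with this in place the live log never fills, so the retention setting alone can no longer cause the silent gaps shown in Tables 2 and 4.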
OIT Security Branch extracts the logs\nfrom the storage folders that are managed by OIT Servers and Storage Branch\nand analyzes the data using the [redacted]. The three servers that C5i\npreviously identified as having exceeded their log capacity and as not\ngenerating logs were subject to this log extraction and analysis process.\n\nC5i contacted OIT Security Branch to confirm that the three servers were not\ngenerating security logs on Saturday, June 18, 2011, from 10:00 p.m. to 11:59\np.m. EDT, when C5i performed its onsite assessment. OIT Security Branch confirmed\nthat logs did not exist for that date and time and provided C5i with a screenshot\nfrom [redacted] showing the result. 22\n\n19\n   See Figure 3.\n20\n   The audit log function produces audit records that contain sufficient information to establish the type of\nlogged event that has occurred, when (date and time) the event occurred, where (IP address) the event\noccurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user\nor subject associated with the event.\n21\n   A script is a program or sequence of instructions that is carried out by a computer without user interaction.\n22\n   See Figure 1, [redacted] October 17, 2011, Appendix IV.\n\nServer Log Capacity\n\nNIST SP 800-53 recommends that an organization allocate audit record storage\ncapacity and configure auditing “to reduce the likelihood of such capacity being\nexceeded.”23\n\nAs noted above, C5i found three servers for which logs were not being generated\nbecause log capacity had been reached. 
C5i manually compared the servers’ log\nconfiguration settings with the [redacted]\nconfiguration. 24 Using the list of [redacted] configuration\nsettings provided by OIT Servers and Storage Branch, C5i confirmed that at the server\nlevel, the configuration settings were implemented according to the [redacted]\nsettings as defined by OIT.\n\nC5i determined that a maximum log capacity of [redacted] had been\nconfigured and implemented across the Commission’s network by a\n[redacted]. C5i also found that the log setting “Do Not\noverwrite events (clear log manually)” had been configured on servers to prevent\noverwriting of previously generated logs. Once a log reaches capacity under this\nsetting, no further events are recorded until OIT Servers and Storage\nBranch manually checks the log and clears or moves the existing records to\nfree up capacity for additional logging.\n\nMonitoring and Alerting\n\nIn addition to the requirement that organizations create, protect, and retain\ninformation system audit records, 25 NIST SP 800-53 recommends that\ninformation systems alert designated organization officials in the event of an\naudit processing failure, such as audit storage capacity being reached or\nexceeded. 26\n\nC5i interviewed staff from OIT’s Servers and Storage Branch and OIT’s Security\nBranch to determine whether they were aware of the impaired logging issues and\nwhether an alerting mechanism was in place to notify them if a server stops\nperforming logging functions. OIT Servers and Storage Branch informed C5i that\nit was not actively monitoring the logs and did not have an alerting mechanism in\nplace to receive notifications when a server stops performing required logging\nfunctions. C5i also found that although the OIT Security Branch monitors logs\nusing [redacted], there is no mechanism in place to notify it when a server has\nstopped performing required logging functions. 
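A check of the kind neither branch had can be scripted against the same two settings C5i inspected (maximum log size and the overwrite policy) together with the log’s last-write time and the event the log writes about itself when it fills. The following PowerShell is an added example and is not code from the OIG report or from OIT. The server names, the 24-hour staleness threshold and the mail addresses are placeholders, and it assumes Windows PowerShell 5.1 with remote event log (RPC) access to each server.

```powershell
<#
  Added example for Finding 1; this is not code from the OIG report or from OIT.
  Audits the Security event log on a list of servers and flags the two conditions
  the report describes: the "Do not overwrite events (clear log manually)" retention
  policy (LogMode = Retain) and a log that has stopped recording because it is full.
  Server names, the staleness threshold and the alert channel are placeholders.
  Requires Windows PowerShell 5.1 with remote event log (RPC) access to each host.
#>
function Get-SecurityLogHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $StaleHours = 24      # flag a log with no new record for this long
    )
    foreach ($server in $ComputerName) {
        try {
            # PowerShell exposes LogMode, MaximumSizeInBytes, IsLogFull, LastWriteTime, RecordCount here
            $cfg = Get-WinEvent -ListLog Security -ComputerName $server -ErrorAction Stop
        }
        catch {
            # Same outcome as Tables 1 and 3 in the report: unreachable, or configuration not readable
            [pscustomobject]@{ Server = $server; Reachable = $false; LogMode = $null; MaxSizeMB = $null
                               IsLogFull = $null; HoursSinceLastWrite = $null
                               Finding = "Not reachable: $($_.Exception.Message)" }
            continue
        }
        $findings = [System.Collections.Generic.List[string]]::new()
        # Event Viewer "Do not overwrite events (clear log manually)" is LogMode Retain
        if ($cfg.LogMode -eq 'Retain') { $findings.Add('Retention is clear-manually: a full log stops recording') }
        if ($cfg.IsLogFull)            { $findings.Add('Security log is full: new events are being dropped') }
        $hours = $null
        if ($cfg.LastWriteTime) {
            $hours = [math]::Round(((Get-Date) - $cfg.LastWriteTime).TotalHours, 1)
            if ($hours -gt $StaleHours) { $findings.Add("No audit record written for $hours hours") }
        }
        # 1104 "The security log is now full" and 1102 "The audit log was cleared" are written
        # by Microsoft-Windows-Eventlog into the Security log itself; surface recent ones.
        $filter = @{ LogName = 'Security'; Id = 1104, 1102 }
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("Event $($_.Id) at $($_.TimeCreated)") }

        [pscustomobject]@{
            Server              = $server
            Reachable           = $true
            LogMode             = $cfg.LogMode
            MaxSizeMB           = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            IsLogFull           = $cfg.IsLogFull
            HoursSinceLastWrite = $hours
            Finding             = ($findings -join '; ')
        }
    }
}

# Capacity-side remediation for Recommendation 1: a larger log that wraps instead of stopping.
# MaximumSize must be a multiple of 64 KB (1GB is); Limit-EventLog exists in Windows PowerShell 5.1.
function Set-SecurityLogOverwrite {
    param([Parameter(Mandatory)] [string] $ComputerName, [long] $MaximumSize = 1GB)
    Limit-EventLog -LogName Security -ComputerName $ComputerName -OverflowAction OverwriteAsNeeded -MaximumSize $MaximumSize
}

# Usage with placeholder server names; Send-MailMessage stands in for the team's real alert channel.
$report = Get-SecurityLogHealth -ComputerName 'SRV-FILE01', 'SRV-FILE02', 'SRV-PRINT01'
$report | Format-Table Server, Reachable, LogMode, MaxSizeMB, IsLogFull, HoursSinceLastWrite, Finding -AutoSize
$alerts = @($report | Where-Object { $_.Finding })
if ($alerts.Count -gt 0) {
    Send-MailMessage -To 'servers-storage@example.invalid' -From 'logaudit@example.invalid' -SmtpServer 'smtp.example.invalid' `
        -Subject "Security log audit: $($alerts.Count) server(s) need attention" -Body ($alerts | Format-List | Out-String)
}
```

Two caveats for anyone adopting this. The corrected setting trades retention for availability: with OverwriteAsNeeded a full log discards its oldest records rather than the newest, so it only preserves the audit trail when paired with the central collection described under Log Generation and Retention (or with the archive-when-full mode, wevtutil sl Security /rt:true /ab:true). And the Limit-EventLog cmdlet is absent from PowerShell 7; there, wevtutil gl Security shows the current retention and maxSize values and wevtutil sl Security /ms:<bytes> /rt:false makes the same change.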
Because neither the OIT Servers\nand Storage Branch nor the OIT Security Branch has an alerting mechanism in\nplace, logging failures could go unnoticed indefinitely until a manual check is\nperformed. C5i discovered that OIT staff first identified this issue in June 2009\nand notified both OIT’s Service Desk and Customer Care at that time as well as\non several occasions thereafter, but to date the problem has not been resolved.\n\n23\n     NIST SP 800-53, Rev. 3, p. F-25.\n24\n     [redacted] controls what users can and cannot do on a computer system.\n25\n   FIPS Publication 200, p. 2.\n26\n   NIST SP 800-53, Rev. 3, p. F-26.\n\nSince the OIT Servers and Storage Branch does not actively monitor logs and\ndoes not have an automated alerting mechanism in place to receive notifications\nwhen a server stops performing logging functions, OIT may be unaware of audit\nprocessing failures for extended periods of time. As a result, OIT’s ability to\nanalyze and investigate inappropriate information system activity and ensure that\nthe actions of individual information system users can be traced to those users\ncould be hindered.\n\nThe failure to ensure that servers are performing logging functions is inconsistent\nwith FIPS Publication 200 and prevents OIT from actively monitoring, analyzing,\ninvestigating, and reporting unlawful, unauthorized, or inappropriate information\nsystem activity and from capturing sufficient information to trace back and hold\nusers accountable for their actions on the servers. 27\n\nOverall, OIT lacks thorough processes and procedures for ensuring consistent,\nuninterrupted server logging functions. 
In particular, OIT lacks adequate capacity\nplanning for server logs and an alerting mechanism for notifying appropriate\nofficials when audit logging functions are suspended because of inadequate\ncapacity or other reasons.\n\n           Recommendation 1:\n\n           The Office of Information Technology should identify capacity\n           requirements for all servers, ensure sufficient capacity is available for the\n           storage of audit records, configure auditing to reduce the likelihood that\n           capacity will be exceeded, and implement an alerting mechanism to alert\n           and notify appropriate Commission office/divisions when log storage\n           capacity is reached.\n\n           Management Comments. OIT concurred with this recommendation.\n           See Appendix VI for management\xe2\x80\x99s full comments.\n\n           OIG Analysis. We are pleased that OIT concurred with this\n           recommendation.\n\n\n\n\n27\n     FIPS Publication 200, p. 2.\nAssessment of SEC\xe2\x80\x99s System and Network Logs                               March 16, 2012\nReport No. 500\n                                           Page 9\n                                   REDACTED PUBLIC VERSION\n\x0cFinding 2: OIT Audit Logging Policies and\nProcedures for SEC Network Servers Should be\nRevised and Reviewed According to Its Current\nPolicy\n           OIT policies and procedures for audit log capture and\n           management are outdated and do not clearly define roles\n           and responsibilities. 
As a result, OIT’s effectiveness at\n           maintaining network security and the critical data that is\n           processed and stored may be hindered.\n\nOIT provided C5i with the following five policies and procedures pertaining to\naudit log capture and management for the SEC’s enterprise network servers:\n\n       •   Operating Directive (OD) [redacted]\n\n       •   SEC Regulation (SECR) [redacted]\n\n       •   Implementing Instruction [redacted]\n\n       •   Implementing Instruction [redacted]\n\n       •   Operating Procedure (OP) [redacted]\n\nNIST SP 800-53, Recommended Security Controls for Federal Information\nSystems and Organizations, recommends that organizations develop,\ndisseminate, and review/update, with a frequency defined by the organization,\nthe following:\n\n           a. A formal, documented security planning policy that addresses\n              purpose, scope, roles, responsibilities, management\n              commitment, coordination among organizational entities, and\n              compliance; and\n\n           b. Formal, documented procedures to facilitate the implementation\n              of the security planning policy and associated security planning\n              controls. 28\n\n28\n     NIST SP 800-53, Rev. 3, p. F-3.\n\nC5i reviewed OIT’s documented policies and procedures pertaining to audit log\ncapture and management to determine whether the policies\n     •    had been reviewed in accordance with the frequency specified,\n     •    clearly defined roles and responsibilities,\n     •    contained provisions for segregation of duties among OIT staff\n          accessing the SEC enterprise network,\n     •    included controls for accessing logs,\n     •    provided for management and analysis of logs,\n     •    called for collection of adequate data, and\n     •    provided for sufficient log storage capability.\n\nC5i found that only [redacted] appeared to be current, while the other four\npolicies, all of which cited an “anticipated review date” of one year from their\napproval date, had not been reviewed or updated within that interval, measured\nfrom their effective date(s).\n\nC5i’s review of OIT’s policies and procedures related to application database log\nmanagement confirmed that OIT does not have documented policies and\nprocedures for application database log management. In addition, C5i found that\nOIT has not defined the roles and responsibilities of individuals who are expected\nto be involved in log management, as recommended by NIST SP 800-92, which\nstates that “[a]s part of the log management planning process, an organization\nshould define the roles and responsibilities of individuals and teams who are\nexpected to be involved in log management.”29\n\nFurther, C5i found that OIT does not have policies and procedures requiring the\nreview of server logs to ensure that log capacity has not been exceeded or for\nalerting and notifying appropriate officials when audit logging functions are\nsuspended due to log storage capacity being reached. 
30\n\nConsistent with the OIG\xe2\x80\x99s 2011 Annual FISMA Executive Summary Report, OIT\nhas recently dedicated resources to review and update its policies and\nprocedures to ensure they are consistent with OIT\xe2\x80\x99s current business practices.\nIn addition, OIT informed C5i of its deployment of a new automated tool, Qualys,\nwhich provides on-demand vulnerability management and compliance solutions.\nAmong other things, Qualys automates security audits to help ensure that the\norganization is in compliance with applicable regulations and internal security\npolicies.\n\n\n29\n  NIST SP 800-92, p. 4-10.\n30\n  C5i\xe2\x80\x99s current finding that OIT policies are outdated and nonexistent is similar to Finding 1 in the OIG report\n2011 Annual FISMA Executive Summary, issued February 2, 2012. The report found that the policies and\nprocedures specific to the eight Federal Information Security Management Act control areas reviewed were\noutdated and nonexistent. However, this report did not include a review of OIT\xe2\x80\x99s policies and procedures\npertaining to the capture of audit logs, log management, or management of the SEC\xe2\x80\x99s enterprise network\nservers. Additionally, in response to recommendation 6 in OIG report Assessment of SEC\xe2\x80\x99s Continuous\nMonitoring Program, issued August 11, 2011, OIT agreed that its policies and procedures need to be\nupdated to reflect its desired log management practices and separation of duties needs to be documented.\nAssessment of SEC\xe2\x80\x99s System and Network Logs                                                March 16, 2012\nReport No. 
500\n                                         Page 11\n                                 REDACTED PUBLIC VERSION\n\x0cBecause OIT did not review and update policies and procedures pertaining to\naudit log capture and management at prescribed intervals and did not provide\nclearly defined roles and responsibilities for audit log functions, OIT\xe2\x80\x99s ability to\neffectively maintain network security and protect critical data may be limited.\n\n       Recommendation 2:\n\n       When updating its policies and procedures, the Office of Information\n       Technology (OIT) should include log management language that\n\n           \xe2\x80\xa2   identifies the roles and responsibilities of staff who are involved in\n               log management,\n           \xe2\x80\xa2   requires server logs to be periodically reviewed to check whether\n               log capacity has been exceeded, and\n           \xe2\x80\xa2   requires appropriate OIT officials be notified when audit logging\n               functions are suspended when log storage capacity has reached its\n               limit.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VI for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n       Recommendation 3:\n\n       The Office of Information Technology should review and update all logging\n       policies and procedures consistent with the policy\xe2\x80\x99s review interval\n       requirements and retain evidence of its reviews and any updates to the\n       policy.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VI for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n\n\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                             March 16, 2012\nReport No. 
500\n                                  Page 12\n                          REDACTED PUBLIC VERSION\n\x0cFinding 3: Decommissioned Servers Remain\nActive on the SEC Network\n        Decommissioned servers remained accessible on the SEC\n        network and, of those examined, one was not capturing logs.\n        In addition, OIT\xe2\x80\x99s Server Decommission Guidelines should\n        include a checklist to ensure that all required\n        decommissioning activities are implemented.\n\nFrom the                          servers in our sample, we identified\ndecommissioned servers. All       of the decommissioned servers were file\nservers. C5i then examined a judgmental sample of               decommissioned\nfile servers to determine whether OIT had executed the required actions related\nto risk management for systems removed from operation, as specified in NIST\nSP 800-37, Guide for Applying the Risk Management Framework to Federal\nInformation Systems, including updating organizational tracking and\nmanagement systems to indicate the specific information system components\nbeing removed from service. 31\n\nC5i found that the four decommissioned servers in our sample were still actively\nconnected to SEC\xe2\x80\x99s enterprise network and were accessible. 
Further, C5i found\nthat one of the servers had stopped performing audit logging functions.\nTherefore, any activity on that server was not being recorded, which is not\nconsistent with FIPS Publication 200, which states that organizations must “ensure\nthat the actions of individual information system users can be uniquely traced to\nthose users so they can be held accountable for their actions.” 32 Leaving\nservers with logging disabled active on the SEC enterprise network could lead to\nundetected security breaches and data compromise because OIT cannot actively\nmonitor, analyze, investigate, or report unlawful, unauthorized, or inappropriate\nactivity on such servers.\n\n31\n   NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems,\nRev. 1 (February 2010), p. 41.\n32\n   FIPS 200, p. 2.\n33\n   NIST SP 800-37, Rev. 1, p. 41.\n\nC5i reviewed OIT Servers and Storage Branch’s Server Decommission\nGuidelines, which set out the procedure for decommissioning servers, to\ndetermine whether OIT had implemented an information system\ndecommissioning strategy that “executes required actions when a system is\nremoved from service,” as called for in NIST SP 800-37, including ensuring that\n“all security controls addressing information system removal and\ndecommissioning (e.g., media sanitization, configuration management and\ncontrol) are implemented.” 33 Our review found that OIT’s Server Decommission\nGuidelines do not include a documented decommissioning strategy, such as a\nchecklist that clearly documents each action that should be performed when a\nserver is removed from service. 
Without a fully documented decommissioning\nstrategy that includes a checklist, OIT cannot readily ensure that all security\ncontrols for decommissioning have been consistently implemented.\n\n       Recommendation 4:\n\n       The Office of Information Technology should ensure that all servers\n       connected to the Commission’s enterprise network are configured to have\n       logging enabled.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VI for management’s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n       Recommendation 5:\n\n       The Office of Information Technology (OIT) should update its Server\n       Decommission Guidelines and include language to fully document each\n       action that should be performed when decommissioning a server. OIT\n       should also develop a server decommissioning checklist to be included in\n       the Server Decommission Guidelines.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VI for management’s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\nFinding 4: Application Database Logs Are Not Generated\n           OIT’s application database logs are not being generated for\n           auditable events.\n\nAccording to NIST SP 800-53, information systems should provide audit record\ngeneration capability for the list of auditable events, allow designated personnel\nto select which auditable events are to be audited by specific components of the\nsystem, and generate audit records for the list of audited events. 
34\n\nOIT staff informed C5i that the events captured in application database logs are\ninconsistent because native database logging\xe2\x80\x94the audit trail functionality built\ninto a database management system\xe2\x80\x94has not been turned on for most database\napplications. As a result, not all auditable events are captured. In addition, OIT\ndid not identify and select auditable events to be audited for the application\ndatabase servers. Most database administrators and system owners developed\ntheir own audit logging functionality and disabled native database logging\nbecause it was resource-intensive and impeded the applications\xe2\x80\x99 ability to\nperform optimally. As a result, OIT is unable to generate audit records for all\nauditable events. Without native database application logging or secondary\nsystems that provide the same level of detail, OIT is unable to retain audit\nrecords to provide support for investigations of security incidents and to meet\nregulatory and organizational information retention requirements. 35\n\nOIT is aware of the issues surrounding application database logging and has\ndesignated a staff member to specifically focus on addressing these issues.\n\n           Recommendation 6:\n\n           The Office of Information Technology (OIT) should conduct a review of\n           application database log management and generation procedures to\n           ensure auditable events are being captured and retained, consistent with\n           OIT policies and procedures and National Institute of Standards and\n           Technology guidelines.\n\n           Management Comments. OIT concurred with this recommendation.\n           See Appendix VI for management\xe2\x80\x99s full comments.\n\n           OIG Analysis. We are pleased that OIT concurred with this\n           recommendation.\n\n34\n     NIST SP 800-53, Rev. 3, p. F-30.\n35\n     NIST SP 800-53, Rev. 3, p. 
F-30.\n\nFinding 5: OIT Does Not Have a Monitoring and Alerting Mechanism for [redacted] Failure\n           There is no monitoring and alerting mechanism in place to\n           notify OIT’s Servers and Storage Branch or the OIT Security\n           Branch if a [redacted] stops performing [redacted]\n           functions.\n\n[redacted] is a standard for logging computer data in a [redacted].\n[redacted] files contain event information, including panic conditions, 36 data\ncorruption, hardware errors, warnings, and tracking information. [redacted] files can\nbe used for computer system management, security events, auditing events,\nsystem information analysis, and debugging messages. According to NIST SP\n800-53, a control should be in place that “[a]lerts designated organization officials\nin the event of an audit processing failure.” 37\n\nC5i conducted an assessment to review data log collection and controls over log\nmanagement and analysis and to ensure that log storage is being performed\nconsistently within OIT’s [redacted]. C5i’s interviews with staff in\nOIT’s Servers and Storage Branch and the OIT Security Branch found that\nneither Branch has an alerting mechanism in place to notify it if a [redacted]\nserver stops performing [redacted] functions. 
The OIT Servers and Storage Branch\nand the OIT Security Branch also informed C5i that OIT is in the process of\nreplacing an information system tool called [redacted]. As part of its\ndeployment of [redacted], the OIT Security Branch plans to develop a computer\nscript that would assess each server to determine if the server is producing\n[redacted] and if the configuration on each server is correct.\n\nIf a server stops performing logging functions, the activity on that server will not\nbe recorded, compromising the organization’s ability to manage the computer\nsystem, detect and address security events, establish an audit trail of events,\nanalyze or investigate events, or protect against individuals falsely denying\nhaving performed particular actions.\n\n36\n     A panic condition is an emergency-level problem in [redacted], whose severity levels include, e.g., warning, error, and emergency.\n37\n     NIST SP 800-53, Rev. 3, AU-5, Response to Audit Processing Failures, p. F-26.\n\n       Recommendation 7:\n\n       The Office of Information Technology (OIT) should implement a\n       mechanism to notify OIT’s Servers and Storage Branch or OIT’s Security\n       Branch when [redacted] performing [redacted] functions.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VI for management’s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n       Recommendation 8:\n\n       The Office of Information Technology should implement its plan to develop\n       a computer script that determines whether [redacted] are\n       producing [redacted].\n\n       Management Comments. 
OIT concurred with this recommendation.\n       See Appendix VI for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n\n\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                      March 16, 2012\nReport No. 500\n                                 Page 17\n                         REDACTED PUBLIC VERSION\n\x0c                                                                   Appendix I\n\n\n                               Abbreviations\n\n          EDT            Eastern Daylight Time\n          FIPS           Federal Information Processing Standard\n          FISMA          Federal Information Security Management Act\n\n          NIST           National Institute of Standards and\n                         Technology\n          OD             Operating Directive\n          OIG            Office of Inspector General\n          OIT            Office of Information Technology\n          OMB            Office of Management and Budget\n          OP             Operating Procedure\n          SEC or\n          Commission U.S. Securities and Exchange Commission\n          SECR       SEC Regulation\n          SP         Special Publications\n\n\n\n\nAssessment of SEC\xe2\x80\x99s System and Network Logs                     March 16, 2012\nReport No. 500\n                                 Page 18\n                         REDACTED PUBLIC VERSION\n\x0c                                                                                          Appendix II\n\n\n                           Scope and Methodology\n\nThe full version of this report includes information that the SEC considers to be\nsensitive and proprietary. To create this public version of the report, OIG\nredacted (blacked out) potentially sensitive, proprietary information from the\nreport.\n\nScope. 
The assessment covered the period from January 2010 to August 2011.\nThe review consisted of detailed technical assessment samplings of\n                                                           located within the\nSEC\xe2\x80\x99s enterprise network located at the SEC\xe2\x80\x99s operations center, headquarters\nand regional offices. Further, the assessment included a comparison and\nanalysis of audit log records, obtained on an external hard drive, from all OIT\n                                                                       that were\ngenerated between January 4, 2010, and October 23, 2010, with audit log\nrecords generated by the same servers                            between January\n29, 2011, and June 23, 2011, to identify changes in controls and logging\nrequirements. The log analysis included determining whether the servers were\nperforming audit logging functions; determining whether critical auditable security\nevent types were being logged, including: privilege escalation attempts,\npassword guessing attempts, user session activity, changes to user permissions\nand user accounts, log-in/out, modifications to information systems or application\nsoftware, and system startup/shutdown; and comparing the actual logs with the\n                                            audit logging settings for consistency.\n\nMethodology. To meet the overall objectives to assess the various types of\nservers deployed at the Commission and located within the enterprise network,\nC5i conducted interviews with key personnel, made independent observations,\nand examined documentation provided by SEC officials. Key personnel included\nsystem owners, business line managers, OIT representatives, and OIG\npersonnel. These interviews were further held to determine issues that were\nrelevant to completing this assessment. 
C5i reviewed pertinent data log records\nand supporting documentation (policies, procedures, roles and responsibilities) to\naddress the review objectives. C5i\xe2\x80\x99s review of policies and procedures also\nincluded discussions with SEC officials and covered the areas identified in the\nscope.\n\nIn addition, C5i obtained a detailed list of                    servers\nrepresenting the various types of servers deployed at the Commission and\nlocated within the enterprise network. The assessment consisted of reviewing a\njudgmental sample of\n\n38\n The data was collected by OIT and saved on to the hard drive. OIT certified that the data was not\nmodified or manipulated.\nAssessment of SEC\xe2\x80\x99s System and Network Logs                                              March 16, 2012\nReport No. 500\n                                        Page 19\n                                REDACTED PUBLIC VERSION\n\x0c                                                                        Appendix II\n\n\n            located within the network, including regional offices. Further, the\nassessment reviewed logs on all servers                          for segregation of\nduties among OIT staff accessing SEC enterprise network logs, access controls\nto those logs, controls over log management and analysis, log data collection,\nand log storage. 
Also, the assessment included a comparison and analysis of audit log records to identify changes in controls and logging requirements and to determine whether the servers were performing audit logging functions; determine whether critical auditable security event types were being logged, including privilege escalation attempts, password guessing attempts, user session activity, changes to user permissions and user accounts, log-in/out, modifications to information systems or application software, and system startup/shutdown; and compare the actual logs with [redacted] audit logging settings for consistency.

C5i used the guidance from NIST 800-53; other NIST, OMB, and FISMA guidance; and industry best practices in its evaluation and to support its conclusions and recommendations.

Management Controls. Consistent with the objectives of the review, C5i did not assess OIT’s management control structure or its internal controls. C5i evaluated existing controls at the Commission specific to the assessment as noted in the discussion of scope. C5i relied on information requested and supplied by OIT and interviews with OIT personnel to understand OIT’s management controls pertaining to policies, roles and responsibilities, and procedures.

Use of Computer-Processed Data.
C5i reviewed the following computer-processed data (i.e., system logs and network logs) that OIT staff members provided to us:

   • system and network logs,
   • event log automation script procedure,
   • screenshots of [redacted] security log settings,
   • log migration scripts, and
   • list of [redacted] settings.

C5i believes that the information that was retrieved from the SEC’s systems, as well as the requested network logs and documents provided to us, was sufficient, reliable, and adequate to use in meeting our stated objectives.

C5i assessed the reliability of OIT’s computer configuration settings as it pertained to our review of log generation, log capture, log management and storage.

Prior OIG Coverage.

   • OIG Report No. 501, 2011 Annual FISMA Executive Summary Report, February 2, 2012, contained 13 recommendations to strengthen the SEC’s controls over information security. All of the report’s recommendations are open.
   • OIG Report No. 489, 2010 Annual FISMA Executive Summary Report, March 3, 2011, contained eight recommendations to strengthen the Commission’s security posture. All of the report’s recommendations are closed, with the exception of recommendation 5, which pertains to the logical access integration of the HSPD-12 card.
   • OIG Report No.
476, Evaluation of the SEC Encryption Program, March 26, 2010, contained three recommendations to strengthen IT management controls for safeguarding the Commission’s information. All of the report’s recommendations are closed.
   • OIG Report No. 497, Assessment of SEC’s Continuous Monitoring Program, August 11, 2011, contained 13 recommendations to strengthen the Commission’s security posture. All of the report’s recommendations remain open.

Judgmental Sampling. C5i obtained from OIT a detailed list of [redacted] representing the various types of servers deployed at the Commission and located within the enterprise network. From the list of [redacted], C5i identified a judgmental sample of [redacted] servers consisting of [redacted] located within the SEC’s enterprise network, including regional offices. C5i further targeted a population of [redacted] servers, of which [redacted] were accessible ([redacted] percent of the total sampled servers). The servers were reviewed onsite at the SEC Operations Center in [redacted], on June 18, 2011 and June 24, 2011.

Appendix III

Criteria

   Federal Information Security Management Act of 2002, Title III, Pub. L. No. 107-347.
Requires federal agencies to develop, document, and implement an agency-wide program providing security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

   NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Revision 1, February 2010. Provides guidance for applying the Risk Management Framework to federal information systems.

   NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, May 1, 2010. Provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government.

   NIST SP 800-92, Guide to Computer Security Log Management, September 2006. Provides guidance on the generation, review, and retention of computer logs and log data.

   Federal Information Processing Standard Publication 200 (FIPS 200), Minimum Security Requirements for Federal Information and Information Systems, March 2006. Outlines the minimum security requirements for the security of federal information systems.

Appendix IV

Screenshots

Figure 1.
Source: OIG-generated

Figure 2.
Source: OIG-generated

Figure 3. [redacted]
Verified June 18, 2011
Source: OIG-generated

Figure 4. [redacted] Verified June 18, 2011
Source: OIG-generated

Figure 5. Verified June 18, 2011
Source: OIG-generated

Figure 6. [redacted], Verified June 18, 2011
Source: OIG-generated
Appendix V

List of Recommendations

Recommendation 1:

The Office of Information Technology should identify capacity requirements for all servers, ensure sufficient capacity is available for the storage of audit records, configure auditing to reduce the likelihood that capacity will be exceeded, and implement an alerting mechanism to alert and notify appropriate Commission office/divisions when log storage capacity is reached.

Recommendation 2:

When updating its policies and procedures, the Office of Information Technology (OIT) should include log management language that

   • identifies the roles and responsibilities of staff who are involved in log management,
   • requires server logs to be periodically reviewed to check whether log capacity has been exceeded, and
   • requires appropriate OIT officials be notified when audit logging functions are suspended when log storage capacity has reached its limit.

Recommendation 3:

The Office of Information Technology should review and update all logging policies and procedures consistent with the policy’s review interval requirements and retain evidence of its reviews and any updates to the policy.

Recommendation 4:

The Office of Information Technology should ensure that all servers connected to the Commission’s enterprise network are configured to have logging enabled.

Recommendation 5:

The Office of Information Technology (OIT) should update its Server Decommission Guidelines and include language to fully document each action that should be performed when decommissioning a server.
OIT should also develop a server decommissioning checklist to be included in the Server Decommission Guidelines.

Recommendation 6:

The Office of Information Technology (OIT) should conduct a review of application database log management and generation procedures to ensure auditable events are being captured and retained, consistent with OIT policies and procedures and National Institute of Standards and Technology guidelines.

Recommendation 7:

The Office of Information Technology (OIT) should implement a mechanism to notify OIT’s Servers and Storage Branch, or OIT’s Security Branch when [redacted] stop performing [redacted] functions.

Recommendation 8:

The Office of Information Technology should implement its plan to develop a computer script that determines whether [redacted] are producing [redacted].

Appendix VI

Management’s Comments

MEMORANDUM

TO:    Jacqueline Wilson, Assistant Inspector General for Audits, Office of Inspector General (OIG)

FROM:  Thomas A.
Bayer, Director, Office of Information Technology (OIT)

RE:    Assessment of SEC's System and Network Logs, Report No. 500

DATE:  March 15, 2012

This memorandum is in response to the Office of Inspector General's (OIG) Draft Report No. 500 entitled, Assessment of SEC's System and Network Logs. Thank you for the opportunity to review and respond to this report.

OIG Recommendation 1:

OIT should identify capacity requirements for all servers, ensure sufficient capacity is available for the storage of audit records, configure auditing to reduce the likelihood that capacity will be exceeded, and implement an alerting mechanism to alert and notify appropriate office/divisions when log storage capacity is reached.

OIT concurs with this recommendation. OIT will use existing system monitoring tools to explicitly alert on log size approaching and/or reaching capacity.

OIG Recommendation 2:

When updating its policies and procedures, the Office of Information Technology (OIT) should include log management language that
   • identifies the roles and responsibilities of staff who are involved in log management,
   • requires server logs to be periodically reviewed to check whether log capacity has been exceeded, and
   • requires appropriate OIT officials be notified when audit logging functions are suspended when log storage capacity has reached its limit.

OIT concurs with this recommendation. OIT will revise their log management policy to take into account the recommended language.
OIT is currently reviewing and updating their logging policies and procedures as part of an IT policy review project.

OIG Recommendation 3:

The Office of Information Technology should review and update all logging policies and procedures consistent with the policy's review interval requirements and retain evidence of its reviews and any updates to the policy.

OIT concurs with this recommendation. OIT is currently reviewing and updating their logging policies and procedures as part of an IT policy review project.

OIG Recommendation 4:

The Office of Information Technology should ensure that all servers connected to the Commission's enterprise network are configured to have logging enabled.

OIT concurs with this recommendation. OIT is currently reviewing and updating their logging policies and procedures as part of an IT policy review project. Included in this will be language to define what types of hosts must or should perform logging, as per NIST Special Publication (SP) 800-92, section 4.2.

OIG Recommendation 5:

The Office of Information Technology (OIT) should update its Server Decommission Guidelines and include language to fully document each action that should be performed when decommissioning a server. OIT should also develop a server decommissioning checklist to be included in the Server Decommission Guidelines.

OIT concurs with this recommendation.
OIT is currently reviewing and updating their policies, procedures and guidelines as part of an IT policy review project.

OIG Recommendation 6:

The Office of Information Technology (OIT) should conduct a review of application database log management and generation procedures to ensure auditable events are being captured and retained, consistent with OIT policies and procedures and National Institute of Standards and Technology guidelines.

OIT concurs with this recommendation. OIT is currently reviewing and updating their policies, procedures and guidelines as part of an IT policy review project.

OIG Recommendation 7:

The Office of Information Technology (OIT) should implement a mechanism to notify OIT's Servers and Storage Branch, or OIT's Security Branch when [redacted] stop performing [redacted] functions.

OIT concurs with this recommendation. OIT will leverage existing tools to monitor the status of [redacted] processes and alert the appropriate personnel if the process terminates.

OIG Recommendation 8:

The Office of Information Technology should implement its plan to develop a computer script that determines whether [redacted] are producing [redacted].

OIT concurs with this recommendation. OIT will leverage existing tools to monitor the [redacted] and determine if logging is actively occurring or
Appendix VII

OIG Response to Management’s Comments

We are pleased that OIT concurred with the report’s eight recommendations. We are also encouraged that OIT has indicated that they will initiate actions to address the findings described in the report. We believe that OIT’s proposed actions are responsive to the report’s findings and recommendations and their implementation of the recommendations will further aid in strengthening OIT’s controls over the SEC’s system and network logs.

Audit Requests and Ideas

The Office of Inspector General welcomes your input. If you would like to request an audit in the future or have an audit idea, please contact us at

U.S. Securities and Exchange Commission
Office of Inspector General
Attn: Assistant Inspector General, Audits (Audit Request/Idea)
100 F Street, N.E.
Washington D.C. 20549-2736

Telephone: 202-551-6061
Fax:       202-772-9265
E-mail:    oig@sec.gov

Hotline
To report fraud, waste, abuse, and mismanagement at the SEC, contact the Office of Inspector General at

Telephone: 877.442.0854

Web-Based Hotline Complaint Form: www.reportlineweb.com/sec_oig
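The server log-health checks that Recommendations 1, 7 and 8 of Appendix V call for (and the suspended-auditing condition Recommendation 2 describes), written out as an added example; this is not SEC or OIT code, and the report does not name the monitoring tools OIT said it would use. It runs over constructed server status records, and the field names, the 80 percent warning threshold and the one-hour staleness window are assumptions.

```python
"""Server log-health checks in the spirit of Recommendations 1, 7 and 8 (Appendix V):
alert as log storage nears or reaches capacity, when the logging process stops, and
when a server is no longer producing audit records.  Added example, not SEC/OIT code;
field names, thresholds and the sample records are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

@dataclass
class LogStatus:
    server: str
    log_path: str
    size_bytes: int            # current size of the audit log
    max_bytes: int             # configured log capacity
    last_write: datetime       # timestamp of the newest audit record
    agent_running: bool        # is the logging process/agent alive?
    overwrite_when_full: bool  # False: auditing suspends once the log is full

@dataclass
class Finding:
    server: str
    check: str     # capacity | retention | process | freshness
    severity: str  # warning | critical
    detail: str

WARN_FRACTION = 0.80              # warn at 80% of capacity (assumed threshold)
STALE_AFTER = timedelta(hours=1)  # no records for an hour = not logging (assumed)

def evaluate(s: LogStatus, now: datetime) -> List[Finding]:
    """Return every finding for one server; an empty list means healthy."""
    out: List[Finding] = []
    used = s.size_bytes / s.max_bytes
    # Recommendation 1: alert as the log nears capacity and when it is full.
    if s.size_bytes >= s.max_bytes:
        out.append(Finding(s.server, "capacity", "critical",
                           f"{s.log_path} is full ({s.size_bytes} of {s.max_bytes} bytes)"))
    elif used >= WARN_FRACTION:
        out.append(Finding(s.server, "capacity", "warning", f"{s.log_path} is {used:.0%} full"))
    # Recommendation 2 notes that auditing is suspended when a full log cannot
    # overwrite; flag that configuration before capacity is actually reached.
    if not s.overwrite_when_full:
        out.append(Finding(s.server, "retention", "warning",
                           "audit logging suspends when the log reaches capacity"))
    # Recommendation 7: notify when the logging process stops.
    if not s.agent_running:
        out.append(Finding(s.server, "process", "critical", "logging process is not running"))
    # Recommendation 8: detect servers that have stopped producing records.
    age = now - s.last_write
    if age > STALE_AFTER:
        out.append(Finding(s.server, "freshness", "critical",
                           f"no audit records for {int(age.total_seconds() // 60)} minutes"))
    return out

def evaluate_all(statuses: List[LogStatus], now: datetime) -> List[Finding]:
    return [f for s in statuses for f in evaluate(s, now)]

# Constructed sample records (hypothetical hosts, not SEC systems).
NOW = datetime(2011, 6, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    LogStatus("srv-healthy", "Security.evtx", 40_000_000, 100_000_000, NOW - timedelta(minutes=2), True, True),
    LogStatus("srv-nearfull", "Security.evtx", 85_000_000, 100_000_000, NOW - timedelta(minutes=5), True, True),
    LogStatus("srv-full", "Security.evtx", 100_000_000, 100_000_000, NOW - timedelta(hours=3), True, False),
    LogStatus("srv-agentdown", "/var/log/audit/audit.log", 10_000_000, 100_000_000, NOW - timedelta(hours=2), False, True),
]
```

Calling evaluate_all(SAMPLE, NOW) yields six findings: one warning for the nearly full host, three for the full host (capacity, retention, freshness) and two for the host whose agent died (process, freshness). The healthy host produces none.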